PCI Requirement 12.4: What It’s About & What It Means for You

What the PCI Requirement 12.4 means for you and your business.

Changes to PCI Requirement 12.4 were released in April 2016 and raised a great many questions. Below, we explain some of the changes and what they mean for third-party service providers and merchants. With that said, here is a look at what PCI Requirement 12.4 means for you and your business.

Why Updates Were Made

Updates to the PCI requirement were made because of the consistently rising rate of data breaches. In 2015 alone, there were 3,930 breaches that exposed over 736 million records (according to a report by Cyber Risk Analytics). With 288 of those breaches being incidents involving third parties and 64.6% of the breaches resulting from hacking, updates had to be made to protect customers and their ownership of their private information.

Although the security market has changed dramatically over the past decade, the collateral damage associated with a data breach has only gotten worse. PCI has been very forceful about the need for contractual language between service providers, vendors, and third parties so that data is protected within its guidelines.

PCI Requirement 12.4: What’s New?

The new requirements added to PCI Requirement 12.4 are:

For your information security policy, define the executive's role and how it relates to data security as a whole.

For assessors, a requirement of the audit cycle is to see how well executive leadership is disseminated and ingrained into everyday operations. If a customer can reach customer service and receive a consistent, concise response, the requirement has been met.

For merchants, third parties, and service providers, each party needs to state its role and what it is doing to ensure data security on its end. This means that each party needs to state the specific responsibilities, service lines, groups, and divisions within its organization that meet the new requirements of PCI Requirement 12.4.

Lastly, assessors are looking for organizations that effectively communicate how important security is to them and make it part of the company's culture. Explaining how the organization is held accountable, designed, and structured with regard to client data is required (in addition to the previous PCI requirements).

In light of the information above, it is important to see where your business stands with regard to PCI Requirement 12.4. Data Magic Computer Services is the trusted choice when it comes to staying ahead of the latest information technology tips, tricks, and news. Contact us at (469) 635-5500 or send us an email at helpme@datamagicinc.com for more information.